mirror of
git://git.gnupg.org/gnupg.git
synced 2024-12-22 10:19:57 +01:00
Documentaion updates.
Support doe Dirmngr under W32. Fixed a yat2m bug.
This commit is contained in:
parent
74d344a521
commit
d20d11a0ee
6
NEWS
6
NEWS
@ -1,4 +1,4 @@
|
||||
Noteworthy changes in version 2.0.6
|
||||
Noteworthy changes in version 2.0.6 (2007-08-14)
|
||||
------------------------------------------------
|
||||
|
||||
* GPGSM does now grok --default-key.
|
||||
@ -8,6 +8,10 @@ Noteworthy changes in version 2.0.6
|
||||
* GPGSM does again correctly print the serial number as well the the
|
||||
various keyids. This was broken since 2.0.4.
|
||||
|
||||
* New option --validation-model and support for the chain-model.
|
||||
|
||||
* Imporved Windows support.
|
||||
|
||||
|
||||
Noteworthy changes in version 2.0.5 (2007-07-05)
|
||||
------------------------------------------------
|
||||
|
9
TODO
9
TODO
@ -110,6 +110,7 @@
|
||||
* Remove -sat PGP2 compatibility hack
|
||||
|
||||
* UTF-8 specific TODOs
|
||||
None.
|
||||
|
||||
* Pinpad Reader
|
||||
We do not yet support P15 applications. The trivial thing using
|
||||
@ -124,11 +125,7 @@
|
||||
* Howtos
|
||||
** Migrate OpenPGP keys to another system
|
||||
|
||||
|
||||
* do_add_recipient
|
||||
Prints wrong error message even when decrypting.
|
||||
*Decrypt* does even not work in this case.
|
||||
|
||||
* Duplicate certifciates
|
||||
This may happen and lead to an Ambiguous Name error. Solution is to
|
||||
check the certs for identity beforethorwin this error.
|
||||
check the certs for identity before throwing this error.
|
||||
|
||||
|
@ -1,3 +1,7 @@
|
||||
2007-08-14 Werner Koch <wk@g10code.com>
|
||||
|
||||
* homedir.c (dirmngr_socket_name): New.
|
||||
|
||||
2007-08-07 Werner Koch <wk@g10code.com>
|
||||
|
||||
* tlv.c, tlv.h: Move from ../scd/.
|
||||
|
@ -290,6 +290,29 @@ gnupg_datadir (void)
|
||||
}
|
||||
|
||||
|
||||
/* Return the default socket name used by DirMngr. */
|
||||
const char *
|
||||
dirmngr_socket_name (void)
|
||||
{
|
||||
#ifdef HAVE_W32_SYSTEM
|
||||
static char *name;
|
||||
|
||||
if (!name)
|
||||
{
|
||||
const char *s1, *s2;
|
||||
s1 = w32_rootdir ();
|
||||
s2 = DIRSEP_S "S.dirmngr";
|
||||
name = xmalloc (strlen (s1) + strlen (s2) + 1);
|
||||
strcpy (stpcpy (name, s1), s2);
|
||||
}
|
||||
return name;
|
||||
#else /*!HAVE_W32_SYSTEM*/
|
||||
return "/var/run/dirmngr/socket";
|
||||
#endif /*!HAVE_W32_SYSTEM*/
|
||||
}
|
||||
|
||||
|
||||
|
||||
/* Return the file name of a helper tool. WHICH is one of the
|
||||
GNUPG_MODULE_NAME_foo constants. */
|
||||
const char *
|
||||
|
@ -178,6 +178,7 @@ const char *gnupg_bindir (void);
|
||||
const char *gnupg_libexecdir (void);
|
||||
const char *gnupg_libdir (void);
|
||||
const char *gnupg_datadir (void);
|
||||
const char *dirmngr_socket_name (void);
|
||||
|
||||
#define GNUPG_MODULE_NAME_AGENT 1
|
||||
#define GNUPG_MODULE_NAME_PINENTRY 2
|
||||
|
@ -1,3 +1,15 @@
|
||||
2007-08-14 Werner Koch <wk@g10code.com>
|
||||
|
||||
* glossary.texi (Glossary): Add a more items.
|
||||
|
||||
2007-08-13 Werner Koch <wk@g10code.com>
|
||||
|
||||
* yat2m.c (proc_texi_cmd): Do not put @samp content between two
|
||||
newlines.
|
||||
|
||||
* gpg-agent.texi (Agent Configuration): Explain the CM flag for
|
||||
trustlist.txt.
|
||||
|
||||
2007-08-09 Werner Koch <wk@g10code.com>
|
||||
|
||||
* gpgsm.texi (Certificate Options): Describe --validation-model.
|
||||
|
@ -12,6 +12,21 @@
|
||||
@acronym{CRL} but used for @acronym{CA}s and not for end user
|
||||
certificates.
|
||||
|
||||
@item Chain model
|
||||
Verification model for X.509 which uses the creation date of a
|
||||
signature as the date the validation starts and in turn checks that each
|
||||
certificate has been issued within the time frame, the issuing
|
||||
certificate was valid. This allows the verification of signatures after
|
||||
the the CA's certificate expired. The validation test also required an
|
||||
online check of the certificate status. The chain model is required by
|
||||
the German signature law. See also @emph{Shell model}.
|
||||
|
||||
@item CMS
|
||||
The @emph{Cryptographic Message Standard} describes a message
|
||||
format for encryption and digital signing. It is closely related to the
|
||||
X.509 certificate format. @acronym{CMS} was formerly known under the
|
||||
name @code{PKCS#7} and is described by @code{RFC3369}.
|
||||
|
||||
@item CRL
|
||||
The @emph{Certificate Revocation List} is a list containing
|
||||
certificates revoked by the issuer.
|
||||
@ -21,6 +36,12 @@ certificates revoked by the issuer.
|
||||
ask them to issue a new certificate. The data format of such a signing
|
||||
request is called PCKS#10.
|
||||
|
||||
@item OpenPGP
|
||||
A data format used to build a PKI and to exchange encrypted or
|
||||
signed messages. In contrast to X.509, OpenPGP also includes the
|
||||
message format but does not explicilty demand a specific PKI. However
|
||||
any kind of PKI may be build upon the OpenPGP protocol.
|
||||
|
||||
@item Keygrip
|
||||
This term is used by GnuPG to describe a 20 byte hash value used
|
||||
to identify a certain key without referencing to a concrete protocol.
|
||||
@ -37,4 +58,15 @@ store private keys. This is either a smartcard or a collection of files
|
||||
on a disk; the latter is often called a Soft-PSE.
|
||||
|
||||
|
||||
@item Shell model
|
||||
The standard model for validation of certificates under X.509. At the
|
||||
time of the verification all certifciates must be valid and not expired.
|
||||
See also @emph{Chain mode}.
|
||||
|
||||
|
||||
@item X.509
|
||||
Description of a PKI used with CMS. It is for example
|
||||
defined by @code{RFC3280}.
|
||||
|
||||
|
||||
@end table
|
||||
|
@ -493,31 +493,40 @@ This is however not as secure as maintaining this file manually. It is
|
||||
even advisable to change the permissions to read-only so that this file
|
||||
can't be changed inadvertently.
|
||||
|
||||
It is possible to add further flags after the @code{S} for use by the
|
||||
caller. The only flag currently defined is @code{relax} to relax
|
||||
checking of some root certificate requirements.
|
||||
|
||||
As a special feature a line @code{include-default} will include a global
|
||||
list of trusted certificates (e.g. @file{/etc/gnupg/trustlist.txt}).
|
||||
This global list is also used if the local list is not available.
|
||||
|
||||
It is possible to add further flags after the @code{S} for use by the
|
||||
caller:
|
||||
|
||||
@table @code
|
||||
@item relax
|
||||
Relax checking of some root certificate requirements.
|
||||
|
||||
@item cm
|
||||
If validation of a certificate finally issued by a CA with this flag set
|
||||
fails, try again using the chain validation model.
|
||||
|
||||
@end table
|
||||
|
||||
|
||||
@item sshcontrol
|
||||
|
||||
This file is used when support for the secure shell agent protocol has
|
||||
been enabled (@pxref{option --enable-ssh-support}). Only keys present in
|
||||
this file are used in the SSH protocol. The @command{ssh-add} tool y be
|
||||
used to add new entries to this file; you may also add them manually.
|
||||
Comment lines, indicated by a leading hash mark, as well as empty lines
|
||||
are ignored. An entry starts with optional white spaces, followed by
|
||||
the keygrip of the key given as 40 hex digits, optionally followed by
|
||||
the caching TTL in seconds and another optional field for arbitrary
|
||||
flags. A @code{!} may be prepended to the keygrip to disable this
|
||||
entry.
|
||||
This file is used when support for the secure shell agent protocol has
|
||||
been enabled (@pxref{option --enable-ssh-support}). Only keys present
|
||||
in this file are used in the SSH protocol. The @command{ssh-add} tool
|
||||
y be used to add new entries to this file; you may also add them
|
||||
manually. Comment lines, indicated by a leading hash mark, as well as
|
||||
empty lines are ignored. An entry starts with optional white spaces,
|
||||
followed by the keygrip of the key given as 40 hex digits, optionally
|
||||
followed by the caching TTL in seconds and another optional field for
|
||||
arbitrary flags. A @code{!} may be prepended to the keygrip to
|
||||
disable this entry.
|
||||
|
||||
The follwoing example lists exactly one key. Note that keys available
|
||||
through a OpenPGP smartcard in the active smartcard reader are implictly
|
||||
added to this list; i.e. there is no need to list them.
|
||||
The follwoing example lists exactly one key. Note that keys available
|
||||
through a OpenPGP smartcard in the active smartcard reader are
|
||||
implictly added to this list; i.e. there is no need to list them.
|
||||
|
||||
@example
|
||||
# Key added on 2005-02-25 15:08:29
|
||||
|
@ -339,7 +339,8 @@ a running dirmngr can't be connected.
|
||||
@opindex prefer-system-dirmngr
|
||||
If a system wide @command{dirmngr} is running in daemon mode, first try
|
||||
to connect to this one. Fallback to a pipe based server if this does
|
||||
not work.
|
||||
not work. Under Windows this option is ignored because the system dirmngr is
|
||||
always used.
|
||||
|
||||
@item --no-secmem-warning
|
||||
@opindex no-secmem-warning
|
||||
|
@ -449,7 +449,7 @@ proc_texi_cmd (FILE *fp, const char *command, const char *rest, size_t len,
|
||||
{ "code", 0, "\\fB", "\\fR" },
|
||||
{ "sc", 0, "\\fB", "\\fR" },
|
||||
{ "var", 0, "\\fI", "\\fR" },
|
||||
{ "samp", 0, "\n'", "'\n" },
|
||||
{ "samp", 0, "'", "'" },
|
||||
{ "file", 0, "`\\fI","\\fR'" },
|
||||
{ "env", 0, "`\\fI","\\fR'" },
|
||||
{ "acronym", 0 },
|
||||
|
16
sm/ChangeLog
16
sm/ChangeLog
@ -1,3 +1,19 @@
|
||||
2007-08-14 Werner Koch <wk@g10code.com>
|
||||
|
||||
* call-dirmngr.c (start_dirmngr): Use dirmngr_socket_name. change
|
||||
the way infostr is xstrdupped.
|
||||
|
||||
* gpgsm.c (main) [W32]: Make --prefer-system-dirmngr a dummy under
|
||||
Windows.
|
||||
|
||||
2007-08-13 Werner Koch <wk@g10code.com>
|
||||
|
||||
* gpgsm.c (do_add_recipient): Add RECP_REQUIRED and make error
|
||||
message depend on that.
|
||||
(main): Add avriable RECP_REQUIRED, set ift for encryption
|
||||
commands and pass it to do_add_recipient.
|
||||
(our_pk_test_algo, our_cipher_test_algo, our_md_test_algo): Implement.
|
||||
|
||||
2007-08-09 Werner Koch <wk@g10code.com>
|
||||
|
||||
* gpgsm.c (main) [W32]: Enable CRL check by default.
|
||||
|
@ -34,8 +34,6 @@
|
||||
#include "i18n.h"
|
||||
#include "keydb.h"
|
||||
|
||||
/* The name of the socket for a system daemon. */
|
||||
#define DEFAULT_SOCKET_NAME "/var/run/dirmngr/socket"
|
||||
|
||||
struct membuf {
|
||||
size_t len;
|
||||
@ -155,14 +153,23 @@ start_dirmngr (void)
|
||||
/* Note: if you change this to multiple connections, you also need
|
||||
to take care of the implicit option sending caching. */
|
||||
|
||||
#ifdef HAVE_W32_SYSTEM
|
||||
infostr = NULL;
|
||||
opt.prefer_system_dirmngr = 1;
|
||||
#else
|
||||
infostr = force_pipe_server? NULL : getenv ("DIRMNGR_INFO");
|
||||
if (opt.prefer_system_dirmngr && !force_pipe_server
|
||||
&&(!infostr || !*infostr))
|
||||
#endif /*HAVE_W32_SYSTEM*/
|
||||
if (infostr && !*infostr)
|
||||
infostr = NULL;
|
||||
else if (infostr)
|
||||
infostr = xstrdup (infostr);
|
||||
|
||||
if (opt.prefer_system_dirmngr && !force_pipe_server && !infostr)
|
||||
{
|
||||
infostr = DEFAULT_SOCKET_NAME;
|
||||
infostr = xstrdup (dirmngr_socket_name ());
|
||||
try_default = 1;
|
||||
}
|
||||
if (!infostr || !*infostr)
|
||||
if (!infostr)
|
||||
{
|
||||
const char *pgmname;
|
||||
const char *argv[3];
|
||||
@ -206,8 +213,7 @@ start_dirmngr (void)
|
||||
int prot;
|
||||
int pid;
|
||||
|
||||
infostr = xstrdup (infostr);
|
||||
if (!try_default && *infostr)
|
||||
if (!try_default)
|
||||
{
|
||||
if ( !(p = strchr (infostr, PATHSEP_C)) || p == infostr)
|
||||
{
|
||||
@ -234,13 +240,20 @@ start_dirmngr (void)
|
||||
pid = -1;
|
||||
|
||||
rc = assuan_socket_connect (&ctx, infostr, pid);
|
||||
#ifdef HAVE_W32_SYSTEM
|
||||
if (rc)
|
||||
log_debug ("connecting dirmngr at `%s' failed\n", infostr);
|
||||
#endif
|
||||
|
||||
xfree (infostr);
|
||||
#ifndef HAVE_W32_SYSTEM
|
||||
if (gpg_err_code (rc) == GPG_ERR_ASS_CONNECT_FAILED)
|
||||
{
|
||||
log_error (_("can't connect to the dirmngr - trying fall back\n"));
|
||||
force_pipe_server = 1;
|
||||
return start_dirmngr ();
|
||||
}
|
||||
#endif /*!HAVE_W32_SYSTEM*/
|
||||
}
|
||||
|
||||
if (rc)
|
||||
|
83
sm/gpgsm.c
83
sm/gpgsm.c
@ -491,25 +491,65 @@ static FILE *open_fwrite (const char *filename);
|
||||
static estream_t open_es_fwrite (const char *filename);
|
||||
static void run_protect_tool (int argc, char **argv);
|
||||
|
||||
/* Remove this if libgcrypt 1.3.0 is required. */
|
||||
#define MY_GCRY_PK_ECDSA 301
|
||||
|
||||
|
||||
static int
|
||||
our_pk_test_algo (int algo)
|
||||
{
|
||||
switch (algo)
|
||||
{
|
||||
case GCRY_PK_RSA:
|
||||
case MY_GCRY_PK_ECDSA:
|
||||
return gcry_pk_test_algo (algo);
|
||||
default:
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
|
||||
static int
|
||||
our_cipher_test_algo (int algo)
|
||||
{
|
||||
switch (algo)
|
||||
{
|
||||
case GCRY_CIPHER_3DES:
|
||||
case GCRY_CIPHER_AES128:
|
||||
case GCRY_CIPHER_AES192:
|
||||
case GCRY_CIPHER_AES256:
|
||||
case GCRY_CIPHER_SERPENT128:
|
||||
case GCRY_CIPHER_SERPENT192:
|
||||
case GCRY_CIPHER_SERPENT256:
|
||||
case 309 /*GCRY_CIPHER_SEED*/:
|
||||
case 310 /*GCRY_CIPHER_CAMELLIA128*/:
|
||||
case 311 /*GCRY_CIPHER_CAMELLIA192*/:
|
||||
case 312 /*GCRY_CIPHER_CAMELLIA256*/:
|
||||
return gcry_cipher_test_algo (algo);
|
||||
default:
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
static int
|
||||
our_md_test_algo (int algo)
|
||||
{
|
||||
switch (algo)
|
||||
{
|
||||
case GCRY_MD_MD5:
|
||||
case GCRY_MD_SHA1:
|
||||
case GCRY_MD_RMD160:
|
||||
case GCRY_MD_SHA256:
|
||||
case GCRY_MD_SHA384:
|
||||
case GCRY_MD_SHA512:
|
||||
case 305 /*GCRY_MD_WHIRLPOOL*/:
|
||||
return gcry_md_test_algo (algo);
|
||||
default:
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
static const char *
|
||||
my_strusage( int level )
|
||||
{
|
||||
@ -571,12 +611,12 @@ build_list (const char *text, const char * (*mapf)(int), int (*chkf)(int))
|
||||
gcry_control (GCRYCTL_DROP_PRIVS); /* drop setuid */
|
||||
}
|
||||
|
||||
for (i=1; i < 110; i++ )
|
||||
for (i=1; i < 400; i++ )
|
||||
if (!chkf(i))
|
||||
n += strlen(mapf(i)) + 2;
|
||||
list = xmalloc (21 + n);
|
||||
*list = 0;
|
||||
for (p=NULL, i=1; i < 110; i++)
|
||||
for (p=NULL, i=1; i < 400; i++)
|
||||
{
|
||||
if (!chkf(i))
|
||||
{
|
||||
@ -683,12 +723,14 @@ set_cmd (enum cmd_and_opt_values *ret_cmd, enum cmd_and_opt_values new_cmd)
|
||||
/* Helper to add recipients to a list. */
|
||||
static void
|
||||
do_add_recipient (ctrl_t ctrl, const char *name,
|
||||
certlist_t *recplist, int is_encrypt_to)
|
||||
certlist_t *recplist, int is_encrypt_to, int recp_required)
|
||||
{
|
||||
int rc = gpgsm_add_to_certlist (ctrl, name, 0, recplist, is_encrypt_to);
|
||||
if (rc)
|
||||
{
|
||||
log_error (_("can't encrypt to `%s': %s\n"), name, gpg_strerror (rc));
|
||||
if (recp_required)
|
||||
{
|
||||
log_error ("can't encrypt to `%s': %s\n", name, gpg_strerror (rc));
|
||||
gpgsm_status2 (ctrl, STATUS_INV_RECP,
|
||||
gpg_err_code (rc) == -1? "1":
|
||||
gpg_err_code (rc) == GPG_ERR_NO_PUBKEY? "1":
|
||||
@ -702,6 +744,10 @@ do_add_recipient (ctrl_t ctrl, const char *name,
|
||||
"0",
|
||||
name, NULL);
|
||||
}
|
||||
else
|
||||
log_info (_("NOTE: won't be able to encrypt to `%s': %s\n"),
|
||||
name, gpg_strerror (rc));
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@ -747,6 +793,7 @@ main ( int argc, char **argv)
|
||||
certlist_t recplist = NULL;
|
||||
certlist_t signerlist = NULL;
|
||||
int do_not_setup_keys = 0;
|
||||
int recp_required = 0;
|
||||
|
||||
/*mtrace();*/
|
||||
|
||||
@ -943,9 +990,13 @@ main ( int argc, char **argv)
|
||||
set_cmd (&cmd, pargs.r_opt);
|
||||
break;
|
||||
|
||||
case aEncr:
|
||||
recp_required = 1;
|
||||
set_cmd (&cmd, pargs.r_opt);
|
||||
break;
|
||||
|
||||
case aSym:
|
||||
case aDecrypt:
|
||||
case aEncr:
|
||||
case aSign:
|
||||
case aClearsign:
|
||||
case aVerify:
|
||||
@ -1295,6 +1346,22 @@ main ( int argc, char **argv)
|
||||
opt.def_cipher_algoid = "2.16.840.1.101.3.4.1.2";
|
||||
else if (!strcmp (opt.def_cipher_algoid, "AES256") )
|
||||
opt.def_cipher_algoid = "2.16.840.1.101.3.4.1.42";
|
||||
else if (!strcmp (opt.def_cipher_algoid, "SERPENT")
|
||||
|| !strcmp (opt.def_cipher_algoid, "SERPENT128") )
|
||||
opt.def_cipher_algoid = "1.3.6.1.4.1.11591.13.2.2";
|
||||
else if (!strcmp (opt.def_cipher_algoid, "SERPENT192") )
|
||||
opt.def_cipher_algoid = "1.3.6.1.4.1.11591.13.2.22";
|
||||
else if (!strcmp (opt.def_cipher_algoid, "SERPENT192") )
|
||||
opt.def_cipher_algoid = "1.3.6.1.4.1.11591.13.2.42";
|
||||
else if (!strcmp (opt.def_cipher_algoid, "SEED") )
|
||||
opt.def_cipher_algoid = "1.2.410.200004.1.4";
|
||||
else if (!strcmp (opt.def_cipher_algoid, "CAMELLIA")
|
||||
|| !strcmp (opt.def_cipher_algoid, "CAMELLIA128") )
|
||||
opt.def_cipher_algoid = "1.2.392.200011.61.1.1.1.2";
|
||||
else if (!strcmp (opt.def_cipher_algoid, "CAMELLIA192") )
|
||||
opt.def_cipher_algoid = "1.2.392.200011.61.1.1.1.3";
|
||||
else if (!strcmp (opt.def_cipher_algoid, "CAMELLIA256") )
|
||||
opt.def_cipher_algoid = "1.2.392.200011.61.1.1.1.4";
|
||||
|
||||
if (cmd != aGPGConfList)
|
||||
{
|
||||
@ -1384,12 +1451,12 @@ main ( int argc, char **argv)
|
||||
complain about no (regular) recipients. */
|
||||
for (sl = remusr; sl; sl = sl->next)
|
||||
if (!(sl->flags & 1))
|
||||
do_add_recipient (&ctrl, sl->d, &recplist, 0);
|
||||
do_add_recipient (&ctrl, sl->d, &recplist, 0, recp_required);
|
||||
if (!opt.no_encrypt_to)
|
||||
{
|
||||
for (sl = remusr; sl; sl = sl->next)
|
||||
if ((sl->flags & 1))
|
||||
do_add_recipient (&ctrl, sl->d, &recplist, 1);
|
||||
do_add_recipient (&ctrl, sl->d, &recplist, 1, recp_required);
|
||||
}
|
||||
}
|
||||
|
||||
@ -1428,8 +1495,10 @@ main ( int argc, char **argv)
|
||||
GC_OPT_FLAG_NONE );
|
||||
printf ("auto-issuer-key-retrieve:%lu:\n",
|
||||
GC_OPT_FLAG_NONE );
|
||||
#ifndef HAVE_W32_SYSTEM
|
||||
printf ("prefer-system-dirmngr:%lu:\n",
|
||||
GC_OPT_FLAG_NONE );
|
||||
#endif
|
||||
printf ("cipher-algo:%lu:\"3DES:\n",
|
||||
GC_OPT_FLAG_DEFAULT );
|
||||
printf ("p12-charset:%lu:\n",
|
||||
|
Loading…
x
Reference in New Issue
Block a user